Closed
Bug 1426312
Opened 7 years ago
Closed 7 years ago
Assertion failure: aTiming.Duration().ref() >= zeroDuration (Iteration duration should be positive), at /builds/worker/workspace/build/src/dom/animation/AnimationEffectReadOnly.cpp:108
Categories
(Core :: DOM: Animation, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla59
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox57 | --- | wontfix |
firefox58 | --- | wontfix |
firefox59 | --- | fixed |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase)
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 5572465c08a9.
Flags: in-testsuite?
Comment 1•7 years ago
Test case is as follows:

```html
<style>
@keyframes a { }
body { animation-name: a }
</style>
<script>
try { document.styleSheets[0].insertRule("* { -webkit-animation: -7s }", false, null) } catch (e) {}
</script>
```

Reproduces even after replacing '-webkit-animation' with 'animation'. Does NOT reproduce with stylo disabled.

Inspecting this in a debugger reveals we have mActiveDuration of -7000000000. So it would seem something is going wrong at the parsing stage. We should have rejected that value straight out (the spec says, "A negative <time> is invalid."[1]). We are using parse_non_negative as the parse method[2] but perhaps we fail to do that when parsing the shorthand?[3]

[1] https://drafts.csswg.org/css-animations/#animation-duration
[2] https://searchfox.org/mozilla-central/source/servo/components/style/properties/longhand/box.mako.rs#493
[3] https://searchfox.org/mozilla-central/source/servo/components/style/properties/shorthand/box.mako.rs#295
Keywords: regression
Priority: -- → P2
Assignee
Comment 2•7 years ago
Yeah, this is stupid. Hiro just pointed me to this bug. Test-case is:

```html
<style>
@keyframes a { }
* { animation: a -7s }
</style>
```
Assignee: nobody → emilio
Comment hidden (mozreview-request)
Comment 4•7 years ago
mozreview-review
Comment on attachment 8938258 [details] Bug 1426312: Make sure to honor parse_method in transition and animation shorthands. https://reviewboard.mozilla.org/r/209022/#review214704
Attachment #8938258 - Flags: review?(bbirtles) → review+
Pushed by ecoal95@gmail.com: https://hg.mozilla.org/integration/autoland/rev/28f5cfda3e9a Make sure to honor parse_method in transition and animation shorthands. r=birtles
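The failure mode suspected in comment 1 and named in the pushed change's summary, as an added example (a simplified model, not Servo's code or the patch itself): the longhand parser enforces the non-negative range, while a shorthand that calls the generic `<time>` parser lets `-7s` through. All function names are hypothetical, and the shorthand grammar is reduced to a name plus one duration.

```rust
// Added illustration, not Servo code; all names are hypothetical.

/// Parse a CSS <time> token ("3s", "-7s", "250ms") into seconds, any sign.
fn parse_time(tok: &str) -> Option<f64> {
    let (num, scale) = if let Some(n) = tok.strip_suffix("ms") {
        (n, 0.001)
    } else if let Some(n) = tok.strip_suffix('s') {
        (n, 1.0)
    } else {
        return None;
    };
    num.parse::<f64>().ok().filter(|v| v.is_finite()).map(|v| v * scale)
}

/// Longhand `animation-duration`: the range check lives here.
fn parse_duration_non_negative(tok: &str) -> Option<f64> {
    parse_time(tok).filter(|secs| *secs >= 0.0)
}

/// Simplified `animation: [<name>] [<duration>]`; no delay or other components.
fn parse_shorthand(value: &str, duration: fn(&str) -> Option<f64>) -> Option<(String, f64)> {
    let (mut name, mut secs) = (None, None);
    for tok in value.split_whitespace() {
        if parse_time(tok).is_some() {
            if secs.is_some() {
                return None; // a second <time> is outside this model
            }
            secs = Some(duration(tok)?); // invalid component drops the declaration
        } else if name.replace(tok.to_string()).is_some() {
            return None; // two names
        }
    }
    Some((name.unwrap_or_else(|| "none".to_string()), secs.unwrap_or(0.0)))
}

/// Buggy: the shorthand uses the generic parser and skips the range check.
fn shorthand_buggy(value: &str) -> Option<(String, f64)> {
    parse_shorthand(value, parse_time)
}

/// Fixed: the shorthand reuses the parser the longhand is declared with.
fn shorthand_fixed(value: &str) -> Option<(String, f64)> {
    parse_shorthand(value, parse_duration_non_negative)
}

fn main() {
    for v in ["a -7s", "-7s", "a 3s"] {
        println!("{:?}: buggy={:?} fixed={:?}", v, shorthand_buggy(v), shorthand_fixed(v));
    }
}
```

A regression test for this class of bug feeds every range-restricted longhand value through each shorthand that accepts it and checks that both reject the same inputs.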
Comment 6•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/28f5cfda3e9a
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Updated•7 years ago
status-firefox57: --- → wontfix
status-firefox58: --- → wontfix
status-firefox-esr52: --- → unaffected
Flags: in-testsuite? → in-testsuite+